Only allow certain countries traffic access specific page

Question

I am using --with-http_geoip_module for identify traffic. There are some pages that I only want certain country to access. Here is configuration:

For http

 http{
    geoip_country  /usr/share/GeoIP/GeoIP.dat; # the country IP database
    map $geoip_country_code $allowed_country {
            default 0;
            US 1;
            UK 1;
            HK 1; 

     }

  }

The location directive:

location = /testing {
            if ($allowed_country = 0) {

                    return 301 ;
              }
    }

The problem is when I using US/HK IPs, I get a 404 error. What did I done wrong?

UPDATE

Here is my complete conf file:

http {
include       /etc/nginx/mime.types;
default_type  application/octet-stream;

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

geoip_country  /usr/share/GeoIP/GeoIP.dat; # the country IP database

map $geoip_country_code $allowed_country {
        default 0;
        US 1;
        UK 1;
        HK 1; 

 }
sendfile        on;
#tcp_nopush     on;

#keepalive_timeout  0;
keepalive_timeout  65;

#gzip  on;

index   index.html index.htm;

# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;

server {
    listen       80 default_server;
    server_name  localhost;
    root         /var/www/html;

    include /etc/nginx/default.d/*.conf;

    location / {
        index index.php index.cgi index.pl index.html index.xhtml index.htm index.shtml;
        try_files $uri $uri/ /index.php?$args;
    }

    # redirect server error pages to the static page /40x.html
    #
    error_page  404              /404.html;
    location = /40x.html {
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }

    #ban specifc country
    location = /testing {
        if ($allowed_country = 0) {

                return 301 ;
          }
     }


    location ~ \.php$ {
        ### SET GEOIP Variables ###
        fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
        fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3;
        fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
        return 404;

        }
            try_files $uri $uri/ /index.php?$args;
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
            fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi.conf;
            include conf/site.conf;
    } 

}
 }

Basically I want only visitor from US, UK and HK access /testing page.

show complete conf, that 404 is not a part of this limited conf. — itpp13, Jun 16 '15 at 10:28

score 26 · Accepted Answer · edited Jun 20 '20 at 09:12

Let's do it from beginning. As you didn't said what is your OS, all steps below will be separated for both Debian/Ubuntu and CentOS/Fedora/RHEL.

1. CONNECT TO SERVER:

First of all, connect to your server by terminal/console (in linux - ssh username@server_ip) or Putty (in windows).

2. VERIFY GEOIP MODULE:

As you have already installed NGINX check if it is compiled with the HttpGeoipModule:

CentOS/Fedora/RHEL and Debian/Ubuntu:

 nginx -V

And then try to find --with-http_geoip_module. If it exists then you can continue, else it means you have't compiled NGINX with GeoIP Module.

3. INSTALL GEOIP DATABASE:

Debian/Ubuntu:

sudo apt-get install geoip-database libgeoip1

CentOS/Fedora/RHEL:

It is in EPEL repository, so you should enable it first:

CENTOS 4:

32bit:

rpm -Uvh http://download.fedoraproject.org/pub/epel/4/i386/epel-release-4-10.noarch.rpm
rpm –Uvh http://rpms.famillecollet.com/enterprise/remi-release-4.rpm

64bit:

rpm -Uvh http://download.fedoraproject.org/pub/epel/4/x86_64/epel-release-4-10.noarch.rpm
rpm –Uvh http://rpms.famillecollet.com/enterprise/remi-release-4.rpm

CENTOS 5:

32bit:

rpm -Uvh http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
rpm –Uvh http://rpms.famillecollet.com/enterprise/remi-release-5.rpm

64bit:

rpm -Uvh http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
rpm –Uvh http://rpms.famillecollet.com/enterprise/remi-release-5.rpm

CENTOS 6:

32bit:

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm

64bit:

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm

CENTOS 7:

64bit:

rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm

Then:

yum install geoip geoip-devel -y

4. Update GeoIP Database

After installing GeoIP Module, the database will be stored in /usr/share/GeoIP/GeoIP.dat but it could be outdated. So, let's update:

mv /usr/share/GeoIP/GeoIP.dat /usr/share/GeoIP/GeoIP.dat_bk

cd /usr/share/GeoIP/

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz

gunzip GeoIP.dat.gz

Or, alternatively, you can download manually the database from http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz, extract on you computer and upload in /usr/share/GeoIP/ as GeoIP.dat. Don't forget to make a backup of old GeoIP.dat if you want to make as here.

5. Configuring NGINX with GeoIP

Open /etc/nginx/nginx.conf (Ubuntu/Debian) or /etc/nginx/conf/nginx.conf (CentOS/Fedora/RHEL) and place this inside http {}, before any include:

geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
    default no;
    US yes;
    UK yes;
    HK yes;
}

This doesn't block countries. We only set $allowed_country.

Now, please open your virtualhost to configure (/etc/nginx/conf.d/YOURDOMAINHERE.conf) - place this inside server {}:

location /testing/ {
    if ($allowed_country = no) {
        return 403;
    }
}

/testing/ is your website path which is accessible from US, UK and HK.

6. Restarting NGINX

/etc/init.d/nginx reload

It was tested on both CentOS and Debian VPS and it is working.

Hope this will help you.

Thank you so much! Got this working on Ubuntu also and it works beautifully. The one heads up I needed to get this up and running was to load the geoip module with `load_module "modules/ngx_http_geoip_module.so";` in my server config before the `events` block. Also, setting up a cron job to keep the geoip data updated is probably a good idea. — cfx, May 26 '17 at 03:46
404 http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz GeoLite Legacy databases were discontinued on January 2, 2019. [read more](https://dev.maxmind.com/geoip/geoip2/geolite2/) The link should be thus changed to https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.tar.gz — maljukan, Feb 28 '19 at 00:55
Major update: `ngx_mod_http_geoip` seems not compatible with Geolite2 databases https://serverfault.com/questions/865990/nginx-and-geolite2-not-working so... Houston... — maljukan, Feb 28 '19 at 01:05

Only allow certain countries traffic access specific page

1 Answers1

1. CONNECT TO SERVER:

2. VERIFY GEOIP MODULE:

3. INSTALL GEOIP DATABASE:

4. Update GeoIP Database

5. Configuring NGINX with GeoIP

6. Restarting NGINX